,dZddlmZddlmZddlmZddlmZddlm Z ddlm Z ddlm Z ddl mZdd lmZdd lmZdd lmZd Zd ZdZdZdZdZdZy)zHelpers for create commands.)absolute_import)division)unicode_literals) exceptions)base)certificate_utils) request_utils)flags) resource_args) labels_utilc:tj|dtj|dtj|d|jjj }tj |dd|jj j }|rH|j|jk7r/tjddj|jt|dr$|jjj nd }|jjj }|rS|jj|jjk7rtjd d |||fS) zParses, validates and returns the resource args from the CLI. Args: args: The parsed arguments from the command-line. Returns: Tuple containing the Resource objects for (CA, source CA, issuer). kms_key_version issuer_poolfrom_caCERTIFICATE_AUTHORITYv1)version--kms-key-versionzGKMS key must be in the same location as the Certificate Authority ({}).N --from-cazYThe provided source CA must be a part of the same pool as the specified CA to be created.)r %ValidateResourceIsCompleteIfSpecifiedCONCEPTScertificate_authorityParseValidateResourceLocationr locationsIdrInvalidArgumentExceptionformathasattrrrParent RelativeName)argsca_refkms_key_version_ref issuer_ref source_ca_refs 8lib/googlecloudsdk/command_lib/privateca/create_utils.py_ParseCAResourceArgsr'sd55d|| _ n'|r%|j8j:j@| _ tjB| tjD|d } |r+tjF|s|j8jH} tjJ|} |r|j/ds |jL} tOjP||jRjT}tjV||}tjX||}|jS|r |jRjZj\n|jRjZj^| |ja| | || d||}|||fS)a Creates a GA CA object from CA create flags. Args: args: The parser that contains the flag values. is_subordinate: If True, a subordinate CA is returned, otherwise a root CA. Returns: A tuple for the CA to create with (CA object, CA ref, issuer). r api_versionN)namerz.The provided source CA could not be retrieved.rz9The DevOps tier does not support user-specified KMS keys.)subjectsubjectAltNamer- subject_fileT) is_ca_commandvalidity) subjectConfig x509Config subjectKeyId)typelifetimeconfigkeySpec gcsBucketuserDefinedAccessUrlslabels)1privateca_baseGetClientInstanceGetMessagesModuler'r1projects_locations_caPools_certificateAuthoritiesGetAPrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesGetRequestr rrprojects_locations_caPools+PrivatecaProjectsLocationsCaPoolsGetRequestr ParseKeySpectierCaPoolTierValueValuesEnumDEVOPScloudKmsKeyVersion SubjectConfigSubjectSubjectAltNames IsSpecified ParseSubjectr-IsKnownAndSpecifiedParseSubjectFiler7r2SanFlagsAreSpecified ParseSanFlagsr.ValidateSubjectConfigParseX509ParametersX509ConfigFlagsAreSpecifiedr3ParseValidityFlagr6r ParseCreateArgsCertificateAuthority LabelsValueParseSubjectKeyIdParseUserDefinedAccessUrlsTypeValueValuesEnum SUBORDINATE SELF_SIGNEDCertificateConfig)r!is_subordinateclientmessagesr"r%r$pool_ref source_caca_poolkeyspecsubject_configx509_parametersr6r;skiuser_defined_access_urlsnew_cas r&CreateCAFromArgsrlRs/  + + =&  - -$ ?(&:4&@#&- ]]_()HHLLRR++- S I   / / G   - - 1 1::$$&; '   t $' llhoo99@@@  $ $  - -C  )) 1I1I1K*. i "//5N /"33D9N&--;;CCN %$)$7$7$=N!&&55!n---d$G/u88>&&11O $ $T *(t'' 3!!H  & & H ) ) 5 5 & h/##==dHM  ( (   ( ( < < H H  ( ( < < H H  ' '&$( 4  ) & &* %%r(cp|D]1}|j|jjjk(s1yy)z3Checks if there are any enabled CAs in the CA list.TF)staterXStateValueValuesEnumENABLED)ca_listrbcas r& HasEnabledCarss2 b xx800EEMMM   r(ctjd}|jjj|jjj g}d}|D]"}dj ||jvs!|}$|s&tjddj |||j|vr&tjddj ||y) aBChecks that an issuing CA is in the CA Pool and has a valid state. Args: ca_pool_name: The resource name of the containing CA Pool. issuing_ca_id: The CA ID of the CA to verify. ca_list: The list of JSON CA objects in the CA pool to check from Raises: InvalidArgumentException on validation errors rr*NzcertificateAuthorities/{}z --issuer-caz;The specified CA with ID [{}] was not found in CA Pool [{}] --issuer-poolzThe specified CA with ID [{}] in CA Pool [{}] is not ENABLED or STAGED. Please choose a CA that has one of these states to issue the CA certificate from.) r<r>rXrorpSTAGEDrr,rrrn) ca_pool_name issuing_ca_idrqrballowd_issuing_states issuing_carrs r&_ValidateIssuingCar{s - -$ ?(##88@@##88??* b"))-8BGGCj    - -ELL <  22  - - &}l C  3r(c F tjd}tjd}|jjj }|j j|j|}|j}|rt|||y|Dcgc]}|j}}||vr/tjddj|t|ycc}w#t j"$r&tjddj|wxYw)a'Checks that a CA Pool is valid to be issuing Pool for a subordinate. Args: ca_pool_name: The resource name of the issuing CA Pool. issuing_ca_id: The optional CA ID in the CA Pool to validate. Raises: InvalidArgumentException if the CA Pool does not exist or is not enabled. rr*)parentNruzThe issuing CA Pool [{}] did not have any CAs in ENABLED state of the {} CAs found. Please create or enable a CA and try again.z`The issuing CA Pool [{}] was not found. Please verify this information is correct and try again.)r<r=r>rXrorpr?ListBPrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesListRequestcertificateAuthoritiesr{rnrrrlenapitools_exceptionsHttpNotFoundError) rwrxrarb enabled_stateca_list_responserqrr ca_statess r&ValidateIssuingPoolrs!   - -$ ?F//DAH11FFNNMOOTTSS T  55G}g> %,,GbGI,I%  / /  K 6,G -  &-  . .  - - %%+VL%9 s$BC'C'C",5C'"C''9D c tjd}djtj}|j }dj||}|j }|j||tj||j|||} |jjjjr/|jjj | j"_| S)aHReturns the certificate create request with the given settings. Args: issuer_pool_ref: The resource reference for the issuing CA pool. csr: The Certificate Signing Request. issuer_ca_id: The CA ID of the CA to sign the CSR, if specified. new_ca: The CA object. Returns: A certificate create request. rr*zsubordinate-{}z{}/certificates/{})r,r6pemCsr) certificateIdr} requestIdissuingCertificateAuthorityId certificate)r<r>rrGenerateCertIdr r6:PrivatecaProjectsLocationsCaPoolsCertificatesCreateRequestr GenerateRequestId Certificater7r2r- rdnSequenceSubjectModeValueValuesEnum RDN_SEQUENCEr subjectMode) issuer_pool_refcsr issuer_ca_idrkrbcertificate_idissuer_pool_namecertificate_namer6 cert_requests r&_CreateCertificateCreateRequestrs - -$ ?(#**+<+K+K+MN.$113)00__(II&!!335(4**#+ J  ]]  ((4477DD( r(ctjd}t||||}|jj |S)aOIssues a certificate under the given issuer with the given settings. Args: issuer_pool_ref: The resource reference for the issuing CA pool. csr: The Certificate Signing Request. issuer_ca_id: The CA ID of the CA to sign the CSR, if specified. new_ca: The CA object. Returns: The certificate for the new CA. rr*)r<r=r'projects_locations_caPools_certificatesCreate)rrrrkrars r&SignCsrr<s@  + + =&0sL&,  7 7 > >| LLr(N)__doc__ __future__rrrapitools.base.pyrr googlecloudsdk.api_lib.privatecarr<rr googlecloudsdk.calliope$googlecloudsdk.command_lib.privatecar r $googlecloudsdk.command_lib.util.argsr r'rlrsr{rrrr(r&rsU#&'>C>:.6><0-fb&J#L*Z'TMr(